New Cybersecurity Chief Shares Govt's Roadmap for Cybersecurity
Pant Spoke at ISMG's Fraud and Breach Summit in Bengaluru
Despite multiple government agencies being formed to fight cybercrime, efforts need to be made for better coordination between them, said Lt Gen (retd) Rajesh Pant, the newly appointed national cybersecurity coordinator, PM Office, Government of India, at ISMG's Fraud and Breach Summit held in Bengaluru on May 21.
Pant, who was a keynoter, said that the government has a long way to go when it comes to leveraging the latest technologies in the cybersecurity space. He also outlined his plans for the year. "We plan to revisit some old frameworks which were designed years ago. It's about time we updated them. Also, we need to ensure that government departments hire only qualified CISOs and not promote someone to the position only because there is a mandate to fill in the post," he said. Pant emphasised the need to have regular audits and VAPT tests done.
He said he plans to engage more with the industry. The thought resonated well with the 350+ practitioners who attended the summit.
Data localisation, data identification and cyber training for employees were some of the key challenges pointed out by practitioners and security leaders at the summit.
At the same time, technology topics such as user behavioural analytics, endpoint detection and response, and the risks of digital transformation were also discussed at the summit.
Here are a few topics the speakers and panellists addressed:
The Data Localisation Debate
A 10-member panel formed by the government of India last year came out with a Data Protection Bill for the country in line with the European Union's General Data Protection Regulation. Apart from talking about data protection, the bill also touched upon data localisation, requiring companies to store data locally.
Data localisation has been vehemently opposed, especially by multinational firms. In a fireside chat with Justice B.N. Srikrishna [the architect of India's Data Protection Bill], Rahul Matthan, fellow with Takshashila's Technology and Policy Research Programme, questioned the need to have complete data localisation or the necessity to store a mirror image of data locally. "I doubt if data localisation in any way will lead to more security of data," Matthan said. "While storing sensitive personal data locally makes sense, one can't have a blanket requirement for every industry."
Srinivas Rao M, co-founder and CEO at Aujas Networks, echoed the sentiment. "I understand such a requirement for the financial industry. But for the need of one industry, the entire economy cannot suffer."
Countering these arguments, Justice Srikrishna remarked, "We have seen multiple cases where for years a simple case could not be closed because required data is stored on servers which are located beyond our borders."
When it was pointed out that India will lose its economic advantage, as localization will lead to an increase in cost for businesses, Justice Srikrishna said, "We have various other acts in the country which lead to increase in cost of businesses. That has never deterred companies from investing in India, and I do not see a reason why data localization will lead to companies shutting down in India."
Data Identification Challenge
Subhajit Deb, CISO at Dr Reddy's Laboratories, in his presentation on GDPR Compliance said that data identification remains a big challenge for enterprises trying to be GDPR compliant. "With more smartphone connections and IoT devices, it is nearly impossible to know where all my data lies," Deb said. "Furthermore, most organizations have a habit of collecting more information than required."
Deb went on to say: "It is important to realise that more the data we collect, more are we increasing our liability. So data minimization is the key. Collect only as much data as required. It is also important to maintain data flow diagrams as well as classify data."
Maheswaran S, regional director, India and SAARC at TITUS, also believes that effective data identification can go a long way in accelerating data protection. "There are various tools available in the market which can help map critical data. Even machine learning can be leveraged for identification of critical data," he said in his presentation on Accelerating Data Protection Through Effective Data Identification.
Training for Cybersecurity Pros
Most practitioners agreed that technologies alone cannot help in fighting cybercrime. While most organizations insist on multiple cybersecurity certifications for their employees, there is a greater need to make a shift from theoretical to practical training, said Rakesh Kharwal, managing director, APAC at Cyberbit.
"As much as practical training for doctors and pilots are necessary, the same is required for cybersecurity professionals," Kharwal said. "Many big organizations are understanding this and incorporating breach simulation programmes.
"The smaller firms can take this as a service and conduct simulations once a year in their organizations."
Inside the DarkWeb
Brijesh Singh, inspector general of police-cyber, Government of Maharashtra, gave some interesting insights from the DarkWeb and questioned whether creating malware to submit evidence in court can be justified. He also emphasized the need to have a balance between privacy and security. "Privacy cannot be a place to commit crime. There have been cases where we had to invade privacy to know about certain attack plans by criminals."
At the same time, Singh said that the law needs to follow a due process. "We can't create a malware and let it be. We also need to have a mechanism to destroy it. Similarly, we must not find every small excuse to invade privacy of people."